A high-volume cyberattack has put global corporations on alert as hackers linked to the Cl0p ransomware gang target executives through extortion campaigns.
The attackers claim to have stolen sensitive data from Oracle’s E-Business Suite applications, which are widely used to manage financial transactions, supply chains, and customer records.
According to security researchers, the hackers are sending extortion emails to company leaders demanding payments to prevent the release of compromised files.
One such demand reached $50 million, though so far no victim has been confirmed to have paid.
Emails sent to company executives
Alphabet’s Google confirmed that hackers are contacting executives at numerous organisations, alleging that they have exfiltrated confidential data from Oracle’s systems.
In a statement, Google described the campaign as “high-volume” but said it does not currently have sufficient evidence to verify the claims.
The emails, which began appearing on or before 29 September, were distributed via hundreds of compromised third-party accounts and share characteristics consistent with previous Cl0p operations.
Investigators noted that the attackers appear to have abused Oracle’s default password-reset function to gain valid credentials for internet-facing portals of the E-Business Suite.
The extortion notes, written in poor English and containing grammatical errors, included screenshots and file trees as supposed proof of access. Contact details embedded in the messages also match those previously associated with Cl0p.
Ransom demands and data theft risks
Cybersecurity firm Halcyon reported that ransom demands have been in the seven- and eight-figure range, with one demand as high as $50 million.
The attackers’ tactic is not limited to encrypting files but involves mass data theft, which can increase pressure on victims to pay. If companies refuse, stolen data could be leaked or sold, creating further regulatory, financial, and reputational damage.
While Google and Halcyon have both linked the campaign to Cl0p, researchers stressed that the full scale of the breach remains unclear. Neither Oracle nor Cl0p responded to requests for comment.
Cl0p’s history of large-scale breaches
Cl0p is known for exploiting vulnerabilities in widely used enterprise software. In 2023, the group carried out a mass attack on the MOVEit file-transfer tool, claiming data from hundreds of organisations including Shell, British Airways owner IAG, and the BBC.
Following that incident, the US Cybersecurity and Infrastructure Security Agency described Cl0p as one of the world’s largest distributors of phishing and malspam, estimating it had compromised more than 3,000 organisations in the US and 8,000 globally.
The current campaign highlights how cybercriminal groups are increasingly focusing on the enterprise platforms that form the backbone of corporate operations.
By compromising applications like Oracle’s E-Business Suite, attackers gain potential access to the most sensitive financial and operational data within large companies.
The scale of ransom demands — and the fact that executives themselves are being directly targeted — shows the high stakes involved for organisations dependent on these systems.
The post Hackers exploit Oracle systems, executives hit with ransom demands appeared first on Invezz